From: Christos Chatzaras <chris@cretaforce.gr>
Subject: Recommendations for my rules
Date: Tue, 6 Feb 2018 19:07:29 +0200
To: freebsd-ipfw@freebsd.org
List-Id: IPFW Technical Discussions

Can someone with experience with ipfw have a look at these rules?

I want to have incoming + outgoing:

FTP (passive + active)
SSH
MySQL
DNS
WWW (http + https)
MAIL (smtps + submission)

Only incoming:

MAIL (pop3, imap, pop3s, imaps)
SNMP

Only outgoing:

MAIL (smtp for some specific users to avoid direct telnet connections to port 25 from other users)

#!/bin/sh

# Flush all rules before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add "
cmd2="ipfw -q "
# Outside interface: first interface listed by ifconfig
pif=`ifconfig -l | awk '{ print $1 }'`

# Allow loopback and deny loopback spoofing
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny ip from any to 127.0.0.0/8
$cmd 00030 deny ip from 127.0.0.0/8 to any

# Checks stateful rules
$cmd 00050 check-state
# Established TCP packets that matched no dynamic rule are dropped here
$cmd 00060 deny tcp from any to any established

# SSHGUARD
$cmd 01000 reset ip from 'table(22)' to any

# NTP
$cmd 01005 allow udp from any to any dst-port 123 out via $pif keep-state

# ICMP
$cmd 01010 allow icmp from any to any out via $pif keep-state
$cmd 01011 allow icmp from any to any in via $pif

# FTP
# Client side: control channel out, active data connections in from remote port 20,
# passive data connections out to the remote ephemeral range
$cmd 10001 allow tcp from me to any dst-port 21 out via $pif setup keep-state
$cmd 10002 allow tcp from any 20 to me in via $pif setup keep-state
$cmd 10003 allow tcp from me to any dst-port 49152-65535 out via $pif keep-state
# Server side: control channel in, data/control replies out, passive data range in
$cmd 10004 allow tcp from any to me 21 in via $pif setup keep-state
$cmd 10005 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10006 allow tcp from any to me 50000-51000 in via $pif setup keep-state

# SSH
$cmd 10010 allow tcp from any to me dst-port 22 in via $pif setup keep-state
$cmd 10011 allow tcp from me to any dst-port 22 out via $pif setup keep-state

# DNS
$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

# SNMP
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state

# EPP
$cmd 10027 allow tcp from me to any dst-port 700 out via $pif setup keep-state

# WWW
$cmd 10030 allow tcp from me to any dst-port 80 out via $pif setup keep-state
$cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup keep-state
$cmd 10032 allow tcp from any to me dst-port 80 in via $pif setup keep-state
$cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup keep-state

# MAIL
$cmd 10039 allow tcp from any to me dst-port 25 in via $pif setup keep-state
# Outbound SMTP only for these local users (uid match on the connecting socket)
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif setup keep-state
$cmd 10041 allow tcp from me to any dst-port 25 uid postfix out via $pif setup keep-state
$cmd 10042 allow tcp from me to any dst-port 25 uid filter out via $pif setup keep-state
$cmd 10044 allow tcp from any to me dst-port 465 in via $pif setup keep-state
$cmd 10045 allow tcp from me to any dst-port 465 out via $pif setup keep-state
$cmd 10046 allow tcp from any to me dst-port 587 in via $pif setup keep-state
$cmd 10047 allow tcp from me to any dst-port 587 out via $pif setup keep-state
$cmd 10048 allow tcp from any to me dst-port 110 in via $pif setup keep-state
$cmd 10049 allow tcp from any to me dst-port 995 in via $pif setup keep-state
$cmd 10050 allow tcp from any to me dst-port 143 in via $pif setup keep-state
$cmd 10051 allow tcp from any to me dst-port 993 in via $pif setup keep-state

# MYSQL
$cmd 10100 allow tcp from me to any dst-port 3306 out via $pif setup keep-state
$cmd 10101 allow tcp from any to me dst-port 3306 in via $pif setup keep-state

# WHOIS OUTGOING
$cmd 10200 allow tcp from me to any dst-port 43 out via $pif setup keep-state

# Deny everything else, and log it
$cmd 56599 deny log all from any to any
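An added review aid, not part of the post: a small Python lint that parses the `$cmd NNN ...` rule lines, reports rule numbers used twice (the post's list has two rules numbered 10004), builds a per-port in/out matrix to compare against the stated intent, and lists outbound allows with no uid match (the intent for port 25 is per-user only). The embedded sample is a constructed excerpt of the post's rules with the quoted-printable decoded; run parse_rules() on the full script to check the real thing.

```python
import re
from collections import Counter

# Constructed excerpt of the post's ruleset (QP decoded); run parse_rules() on the full script.
SAMPLE = """\
$cmd 10001 allow tcp from me to any dst-port 21 out via $pif setup keep-state
$cmd 10004 allow tcp from any to me 21 in via $pif setup keep-state
$cmd 10004 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10039 allow tcp from any to me dst-port 25 in via $pif setup keep-state
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif setup keep-state
$cmd 10048 allow tcp from any to me dst-port 110 in via $pif setup keep-state
"""

# Rule body: <num> <action> <proto> from <src> [sport] to <dst> [[dst-port] dport] <options>
RULE_RE = re.compile(
    r"^\$cmd\s+(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"(?:\s+(?P<sport>[\d,-]+))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?:dst-port\s+)?(?P<dport>[\d,-]+))?(?P<rest>.*)$")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:                                     # flush, check-state, comments, etc.
            continue
        rest = m.group("rest")
        d = re.search(r"\b(in|out)\b", rest)          # packet direction option
        u = re.search(r"\buid\s+(\S+)", rest)         # per-user restriction, if any
        rules.append({"num": int(m.group("num")), "action": m.group("action"),
                      "proto": m.group("proto"), "sport": m.group("sport"),
                      "dport": m.group("dport"), "dir": d.group(1) if d else None,
                      "uid": u.group(1) if u else None})
    return rules

def duplicate_numbers(rules):
    """Rule numbers used more than once: legal in ipfw, but almost always a typo."""
    return sorted(n for n, c in Counter(r["num"] for r in rules).items() if c > 1)

def direction_matrix(rules):
    """(proto, dst port) -> directions in which new connections to that port are allowed."""
    matrix = {}
    for r in rules:
        if r["action"] == "allow" and r["dir"] and r["dport"]:
            for p in r["dport"].split(","):
                matrix.setdefault((r["proto"], p), set()).add(r["dir"])
    return matrix

def outbound_allows_without_uid(rules, port):
    """Outbound allow rules for a port usable by any local user (no uid match)."""
    return [r["num"] for r in rules if r["action"] == "allow" and r["dir"] == "out"
            and r["dport"] and port in r["dport"].split(",") and r["uid"] is None]
```

Compare the matrix against the three lists in the post (incoming + outgoing, only incoming, only outgoing) to spot a port open in a direction the intent does not call for.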